Verify Privilege For Different Channels in openbmc-test-automation

Tony Lee (李文富) Tony.Lee at quantatw.com
Tue Jan 21 19:46:53 AEDT 2020


I'm sorry, we also do not have a dual channel system currently.
Once we have one, it will be tested and updated for these two test cases.

From: Rahul Maheshwari <rahulmaheshwari01 at gmail.com> 
Sent: Tuesday, January 21, 2020 1:21 PM
To: Thomaiyar, Richard Marian <richard.marian.thomaiyar at linux.intel.com>
Cc: Tony Lee (李文富) <Tony.Lee at quantatw.com>; openbmc at lists.ozlabs.org
Subject: Re: Verify Privilege For Different Channels in openbmc-test-automation

Thanks Richard for correcting. Yes, there is a need to update this test case. 

Tony
We don't run this test case on our systems as we don't have a dual channel system. Can you fix this test case?

Thanks
Rahul

On Tue, Jan 21, 2020 at 10:29 AM Thomaiyar, Richard Marian <richard.marian.thomaiyar at linux.intel.com> wrote:
Hi Tony / Rahul,

1. sel info 1  (I don't think sel info can get channel number, as sel is 
not based on channel numbers)

2. user list can be queried through channel number i.e. "user list 1" 
will query user privileges as per channel number 1 and "user list 3" 
will query user privileges as per channel number 3. But it doesn't 
determine the incoming channel number.

i.e. if a system is having 2 LAN Channels, then LAN channel privilege is 
based on the IP address of those channels

say channel 1 is having IP x.y.z.1 & channel 3 is having IP x.y.z.3  and 
channel 3 is with NoAccess

then executing following command will pass

ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 1

ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 3

Following command execution will fail

ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will 
fail if channel 3 is with NoAccess privilege for user root

ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will 
fail if channel 3 is with NoAccess privilege for user root

Please update the test case accordingly.

Regards,

Richard

On 1/21/2020 8:39 AM, Tony Lee (李文富) wrote:
>> Are you saying that with NoAccess for channel x, you are able to get the IPMI
>> response.
> Yes.
>
>> please note: -H x.x.x.x  determines, which channel you are trying to
>> communicate. Try the other IP address (because not sure, which channel is
>> configured to what IP).
> This is as I expected!
> However, please look at the cases "Verify Administrator And No Access Privilege For Different Channels"
> and "Verify Operator And User Privilege For Different Channels" in test_ipmi_user.robot.
> For example: case "Verify Administrator And No Access Privilege For Different Channels" at the last two "Verify" steps:
> '''
> # Verify that user is able to run administrator level IPMI command with channel 1.
> Verify IPMI Command  ${random_username}  ${valid_password}  Administrator  1
>
> # Verify that user is unable to run IPMI command with channel 2.
> Run IPMI Standard Command  sel info 2  expected_rc=${1}  U=${random_username}  P=${valid_password}
> '''
>
> In this case, first, there is only one IP address.
> Second, I can't find a description or SPEC about a command like
> "ipmitool -I lanplus -C 3 -p 623 -U YmRBwDUS -P 0penBmc1 -H x.x.x.x -L Administrator sel info 1"
> which means the user is able to run an IPMI command with channel 1.
>
> If the method for out-of-band communication using different channels is the same as you described,
> do we need to fix these two cases?
>
>> Regards,
>>
>> Richard
>>


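The rule Richard describes in the thread (the -H address selects the incoming channel, and that channel's privilege decides whether the session is allowed, whatever channel number "user list" is asked about), as an added example that is not part of the original thread or of openbmc-test-automation. The channel map, user name, password placeholder, the function names and the failing return code of 1 (taken from expected_rc=${1} in the quoted test) are assumptions.

```python
import subprocess

# Constructed topology from the thread: channel 1 -> x.y.z.1, channel 3 -> x.y.z.3.
CHANNEL_IP = {1: "x.y.z.1", 3: "x.y.z.3"}
# Constructed per-channel privilege of the test user: NoAccess on channel 3.
USER_PRIV = {1: "Administrator", 3: "NoAccess"}
FAIL_RC = 1  # assumption: ipmitool exits 1 when the session is refused


def build_cases(channel_ip, user_priv, user, password):
    """Return (argv, expected_rc) for every incoming-channel / queried-channel pair."""
    cases = []
    for incoming, host in sorted(channel_ip.items()):
        # The session is opened on the channel that owns the target IP, so only
        # that channel's privilege decides whether the command can run at all.
        expected_rc = FAIL_RC if user_priv[incoming] == "NoAccess" else 0
        for queried in sorted(channel_ip):
            # The trailing channel number is only a query argument to "user list".
            argv = ["ipmitool", "-I", "lanplus", "-H", host,
                    "-U", user, "-P", password, "user", "list", str(queried)]
            cases.append((argv, expected_rc))
    return cases


def run_cases(cases, runner=subprocess.call):
    """Run each case and return (argv, expected_rc, actual_rc) for every mismatch."""
    mismatches = []
    for argv, expected_rc in cases:
        actual_rc = runner(argv)
        if actual_rc != expected_rc:
            mismatches.append((argv, expected_rc, actual_rc))
    return mismatches


if __name__ == "__main__":
    # Print the expected matrix; replace the placeholders before running against a BMC.
    for argv, rc in build_cases(CHANNEL_IP, USER_PRIV, "testuser", "PLACEHOLDER"):
        print(rc, " ".join(argv))
```

Passing a different runner to run_cases lets the same matrix be checked against a stub before it is pointed at real hardware.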